Description
Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)
peer key, the peer key is not properly checked for the subgroup membership.

Impact summary: A malicious peer which presents an X9.42 key carrying the
victim's p and g parameters, a forged q = r (a small prime factor of the
cofactor (p−1)/q_local), and a public value Y of order r can recover the
victim's private key after a small number of key exchange attempts.

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the
subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's
own q parameter, not the local key's q. The peer's domain parameters are
then matched against the domain parameters of the private key, but the value
of q is not compared.

A malicious peer who presents an X9.42 key carrying the victim's p, g,
a forged q = r (a small prime factor of the cofactor), and a public
value Y of order r passes all checks. The shared secret then takes only
r distinct values, leaking priv mod r. Repeating for each small-prime
factor of the cofactor and combining via CRT recovers the full private
key (Lim–Lee / small-subgroup-confinement attack).

The realistic attack surface is narrow: principally CMP deployments with
long-lived RA/CA DHX keys, and bespoke enterprise or government applications
using X9.42 DHX static keys with interactive protocols. This issue was
therefore assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this
issue.
Published: 2026-06-09
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During the Diffie‑Hellman key exchange implemented in OpenSSL, the function EVP_PKEY_derive_set_peer() fails to verify that the peer's subgroup parameters match the local key. A malicious peer can craft an X9.42 key that uses the victim's p and g values but substitutes its own small q parameter and a public value Y of that small order. Because the subgroup membership test uses the peer's q instead of the local q, the bogus key passes all checks. The resulting shared secret has only a few possible values, allowing the attacker to recover the victim's private DH key after a handful of exchanges and, by repeating the process for each small subgroup, to reconstruct the full key using the Chinese remainder theorem.

Affected Systems

The OpenSSL FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected. Systems that deploy X9.42 DHX static keys, commonly found in certificate‑management protocols and some government or enterprise applications, are directly exposed.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog and has an EPSS score of < 1%, indicating a very low probability of exploitation. The risk is limited to environments that use static X9.42 DHX keys with custom domain parameters, and the attacker must act as a peer and engage the victim in repeated key exchanges. Typical internet traffic is largely unaffected, and the CVSS score of 3.7 reflects low severity. However, in the narrow attack surface where the conditions are met, an attacker can recover the private DH key after only a few exchanges.

Generated by OpenCVE AI on June 11, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSSL to the latest patch level that implements the corrected subgroup validation logic (the referenced GitHub commits provide the fix). This also covers the FIPS modules where the defect existed.
  • Verify that any custom application libraries are rebuilt against the updated OpenSSL build and that EVP_PKEY_derive_set_peer() now uses the local q for subgroup checks.
  • Where possible, avoid using static X9.42 DHX keys; switch to dynamic key agreement or use standard groups (e.g., X9.62 or 2048‑bit MODP) that are known to be properly validated. In environments where static keys remain required, enable application‑level validation that rejects peer keys with mismatched q values.

Generated by OpenCVE AI on June 11, 2026 at 02:22 UTC.
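The mismatched-q validation described in the Description and in the application-level check recommended above, as an added example that is not OpenSSL's code: a constructed toy X9.42 group with q = 11 and a cofactor prime r = 3, the flawed peer check beside the corrected one, and a count of how many distinct shared secrets the forged key can yield. All parameters, key values and function names are assumptions made for illustration; the range check in the flawed variant is assumed, not taken from the advisory.

```python
# Added example (not OpenSSL code): flawed vs. fixed DHX peer validation on
# a constructed toy group p = 2*q*r + 1 (q = real subgroup order, r small).
from dataclasses import dataclass

@dataclass(frozen=True)
class DhxKey:
    p: int  # modulus
    g: int  # generator of the order-q subgroup
    q: int  # claimed subgroup order
    y: int  # public value

def peer_check_vulnerable(local: DhxKey, peer: DhxKey) -> bool:
    """Flawed logic as the advisory describes it: membership is tested with
    the peer's own q, and q is never compared (range check is assumed)."""
    if not 1 < peer.y < peer.p - 1:
        return False
    if pow(peer.y, peer.q, peer.p) != 1:        # attacker-supplied q
        return False
    return (peer.p, peer.g) == (local.p, local.g)  # q left out

def peer_check_fixed(local: DhxKey, peer: DhxKey) -> bool:
    """Corrected logic: every domain parameter, q included, must match the
    local key, and membership is verified against the local q."""
    if (peer.p, peer.g, peer.q) != (local.p, local.g, local.q):
        return False
    if not 1 < peer.y < local.p - 1:
        return False
    return pow(peer.y, local.q, local.p) == 1   # local q, not the peer's

def secret_values(peer_y: int, p: int, q: int) -> set:
    """All shared secrets y^priv mod p over private exponents 1..q-1."""
    return {pow(peer_y, priv, p) for priv in range(1, q)}

# Constructed toy parameters: q = 11, r = 3, p = 67 (prime), cofactor 6.
Q, R = 11, 3
P = 2 * Q * R + 1
G = pow(2, (P - 1) // Q, P)                    # order-q generator (64)
LOCAL = DhxKey(p=P, g=G, q=Q, y=pow(G, 7, P))  # honest local key, priv 7
HONEST = DhxKey(p=P, g=G, q=Q, y=pow(G, 5, P)) # honest peer key
# Forged peer key: victim's p and g, q swapped for r, Y of order r.
FORGED = DhxKey(p=P, g=G, q=R, y=pow(2, (P - 1) // R, P))  # Y = 37

def demo() -> tuple:
    """(vulnerable verdict, fixed verdict, distinct secrets FORGED yields)."""
    return (peer_check_vulnerable(LOCAL, FORGED),
            peer_check_fixed(LOCAL, FORGED),
            len(secret_values(FORGED.y, P, Q)))

if __name__ == "__main__":
    print(demo())   # (True, False, 3): only r = 3 secrets, leaking priv mod 3
```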

Advisories

Source       ID           Title
Debian DSA   DSA-6335-1   openssl security update
Ubuntu USN   USN-8414-1   OpenSSL vulnerabilities

History

Tue, 16 Jun 2026 06:30:00 +0000
  CPEs: cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*, cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:*

Thu, 11 Jun 2026 00:15:00 +0000
  Weaknesses: CWE-354
  References
  Metrics: threat_severity None → Low

Wed, 10 Jun 2026 08:30:00 +0000

Wed, 10 Jun 2026 08:15:00 +0000

Tue, 09 Jun 2026 20:30:00 +0000
  Metrics: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:00:00 +0000
  First Time appeared: Openssl, Openssl openssl
  Vendors & Products: Openssl, Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000
  Description: initial description text, identical to the Description section above
  Title: FFC-DH Peer Validation Uses Attacker-Supplied q
  Weaknesses: CWE-325
References

MITRE
  Status: PUBLISHED
  Assigner: openssl
  Published:
  Updated: 2026-06-10T07:48:07.613Z
  Reserved: 2026-04-29T09:22:27.969Z
  Link: CVE-2026-42770

Vulnrichment
  Updated: 2026-06-09T19:34:36.935Z

NVD
  Status: Analyzed
  Published: 2026-06-09T17:17:08.523
  Modified: 2026-06-16T02:58:00.133
  Link: CVE-2026-42770

Red Hat
  Severity: Low
  Public Date: 2026-06-09T00:00:00Z
  Links: CVE-2026-42770 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-06-11T02:30:02Z

Weaknesses
  • CWE-325: Missing Cryptographic Step
  • CWE-354: Improper Validation of Integrity Check Value